Compromised security key 'responsible for Uber breach'

A security key published on a public Github page appears to be the source of a data breach that affected 50,000 Uber drivers.

A security key published on a public Github page is believed to have been the source of a data breach that compromised the personal details of up to 50,000 Uber drivers, it has been revealed.

The app-based taxi company revealed details of the incident last week, stating that it had identified a "one-time access" of a secure database by an unauthorised party. In a blog post, Katherine Tassi, the company's managing counsel for data privacy, said Uber had learned on September 17th last year of the potential for a breach, and that further investigation confirmed the database had been accessed earlier in 2014.

It appears that the intruder gained access to the network by using a security key that had appeared on a public Github page. This was revealed in a subpoena sent by Uber to the web-based source code repository service, which seeks to compel the service to hand over the IP addresses of every user who accessed the page in question.

"On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber's protected computers," Uber's subpoena stated.

Whether the security key was contained in leaked information or source code published by Uber itself that should not have been made public is not clear, but Github has warned developers many times to avoid uploading data to the service that contains sensitive information such as login details.
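The warning above is the practical lesson of the incident: a credential that lands in a public repository is, in effect, published. One defensive control is to scan files for credential-shaped strings before they are committed. The following script is an added example written for this page, not code from Uber, Github or the article; it combines a few well-known credential patterns (the AWS access key prefix, PEM private key headers, and generic `password=`/`token=` assignments) with a Shannon entropy check so that obvious placeholders are not flagged. The sample configuration text is constructed for the example and the AWS key in it is the documented AWS example value, not a live credential.

```python
import math
import re
import subprocess
import sys
from collections import Counter

# Credential shapes worth blocking at commit time. The AWS prefix and the PEM
# header are real, widely documented formats; the "assignment" pattern is a
# generic heuristic chosen for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd|pwd|access[_-]?key)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})['\"]?"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, placeholders low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<stdin>", min_entropy: float = 3.5):
    """Return (path, line_number, pattern_name, line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "assignment":
                # Generic assignments only count when the value looks random;
                # "aaaaaaaa"-style placeholders are skipped.
                if shannon_entropy(match.group(1)) < min_entropy:
                    continue
            findings.append((path, lineno, name, line.strip()))
    return findings


def scan_file(path: str):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


def staged_files():
    """Files staged for commit, for use as a git pre-commit hook."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.split("\0") if p]


# Constructed sample: a config file of the kind that should never be pushed.
SAMPLE = """\
# constructed sample config, not from any real system
db_host = localhost
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "aaaaaaaaaaaaaaaa"
api_token = "x7Qp9zL2mR4vT8wK1nB6yJ3cH5dF0gS"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # With no arguments, scan the staged files (pre-commit hook mode);
    # with "--demo", scan the embedded sample instead.
    if sys.argv[1:] == ["--demo"]:
        results = scan_text(SAMPLE, "sample.cfg")
    else:
        results = [f for p in staged_files() for f in scan_file(p)]
    for path, lineno, name, line in results:
        print(f"{path}:{lineno}: {name}: {line}")
    sys.exit(1 if results else 0)
```

Installed as `.git/hooks/pre-commit`, the script refuses the commit whenever a staged file matches; the entropy threshold is a tuning knob, and a real deployment would also scan existing history, since a key removed in a later commit is still recoverable from the earlier one.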

However, the data it is seeking in its hunt to identify the responsible party may not yield much useful information. Even if Uber is able to trace an IP address to a Github user, there is no guarantee that this user is actually the guilty party, as attackers frequently cover their tracks by routing through other people's computers as proxies.

Uber is also facing questions about the length of time it took to inform its drivers about the theft of their information. More than five months elapsed between the company discovering the breach and its making the disclosure - far longer than local laws allow in many of the jurisdictions in which the firm operates.

The company has offered drivers a year's free subscription to Experian's ProtectMyID service to alert them of any identity theft attempts, but the breach is just the latest in a line of poor publicity stories for the firm.